Posted by: David Harley | February 6, 2016

‘Flash’ Scareware Installer: retro but not in a good way

An entry by Johannes Ullrich in the Internet Storm Center’s Handlers Diary looks at an interesting example of a fake Flash update targeting users of OS X: Fake Adobe Flash Update OS X Malware.

It’s not so much the fact that it passes itself off as Flash Player that’s interesting – that’s not particularly unusual, especially for adware – or even that it targets Mac users. Rather, it’s the fact that it actually installs scareware. A few years ago there was a spate of scareware – notably Flashback – targeting OS X users, but in these days of galloping, ubiquitous ransomware that seems almost touchingly retro, especially as it apparently also installs a genuine Flash update. I don’t think that makes it particularly public-spirited, though: it’s more to do with making it less obvious that the installer is malicious. It’s signed with a genuine Apple developer certificate, so it wouldn’t be flagged by Gatekeeper (unless it’s been updated since).

Ullrich includes a short video showing how it infects. He also states that detection by security software was pretty poor as measured by VirusTotal, but as he didn’t include a hash or a link to VT, I can’t say if that’s still the case.

Other commentary by Graham Cluley for Intego and Zeljka Zorz for Help Net.

David Harley

Posted by: David Harley | February 2, 2016

Quick Heal: more Attacks on Android Users

Sanjay Katkar, CTO at Quick Heal, writes for Help Net Security that Android users on high alert as malware, phishing and scams are projected to rise. His premise is based on an impressive growth in Android malware samples, families, and family variants.

He draws our attention to a number of factors:

  • The very high proportion of adware noted in those samples
  • A CAPTCHA avoidance flaw in Google Play
  • A flaw in the Gmail Android app making email address spoofing very simple
  • Potential risks from smartwatches and other IoT devices

Perhaps the real issue, though, is that Android users in general are probably not on high alert for malware, but probably should be. Google would probably disagree. As will, probably, a small flurry of Android fanbois rushing to tell me that iOS is much more insecure than Android. I’m staying out of that one…

David Harley

Posted by: David Harley | January 30, 2016

Trojanized Android Games

On 28th January 2016, Dr.Web warned that a Trojan targeted dozens of games on Google Play. The company says that Android.Xiny.19.origin steals information including the device’s IMEI, MAC address, the network provider’s name, and the OS version and current language. It may also download and run an APK application package from the C&C server. Interestingly, the app is served steganographically: that is, it’s hidden in an image, presumably in the hope of avoiding detection by security software.

While the company has advised Google of the issue, as of the 28th January it seems that the apps were still present on Google Play. I don’t know if this is still the case, but even if it isn’t, the app may still be available on other sites. And, of course, the likelihood is that some people have already downloaded one of the 60+ apps affected.
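As an added illustration (not code from Dr.Web or from the original post) of how a defender can check image files for a hidden APK, the script below walks a PNG’s chunks (or a JPEG’s EOI marker), reports any bytes trailing the image’s end, and tests whether a ZIP local-file header inside the file parses as an archive containing APK entries. It assumes the payload is appended whole or embedded intact; the exact technique Xiny uses is not stated on the page, and the sample PNG and fake APK are constructed here.

```python
import io
import struct
import zipfile
import zlib
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8"
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # every ZIP (and therefore APK) starts with this

def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks; return the offset just past IEND, or None if not a PNG/malformed."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return pos
    return None

def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the first EOI (FFD9). Caveat: EXIF thumbnails carry their own EOI."""
    if not data.startswith(JPEG_MAGIC):
        return None
    eoi = data.find(b"\xff\xd9", 2)
    return None if eoi < 0 else eoi + 2

def find_embedded_zip(data: bytes) -> dict:
    """Flag trailing bytes after the image end and any ZIP that looks like an APK."""
    end = png_end_offset(data) or jpeg_end_offset(data)
    trailing = len(data) - end if end is not None else 0
    zip_off = data.find(ZIP_LOCAL_HEADER)
    names = []
    if zip_off >= 0:
        try:
            with zipfile.ZipFile(io.BytesIO(data[zip_off:])) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            pass  # "PK\x03\x04" can occur by chance in pixel data
    apk_like = any(n in ("AndroidManifest.xml", "classes.dex") for n in names)
    return {"trailing_bytes": trailing, "zip_offset": zip_off, "apk_like": apk_like, "entries": names}

def minimal_png() -> bytes:
    """Constructed 1x1 PNG skeleton (IHDR + IEND, no IDAT) used as a clean baseline."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    return PNG_MAGIC + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + chunk(b"IEND", b"")

def build_sample() -> bytes:
    """Constructed input: the clean PNG with a fake APK (a ZIP) appended after IEND."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", "dex\n035")
    return minimal_png() + buf.getvalue()
```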

David Harley



Posted by: David Harley | January 29, 2016

Android ransomware posing as porn app

[Originally blogged for AVIEN, where I maintain a ransomware information resource page, but of relevance here too since I often write here about Android.]

Martin Zhang blogs for Symantec about the Android ransomware the company calls Android.Lockdroid.E here: Android ransomware variant uses clickjacking to become device administrator

The malware passes itself off as a porn app. It encrypts files, but if it succeeds in gaining access rights, it also has the ability to lock the device, change the PIN, and delete data via a factory reset.

The clickjacking technique it uses apparently works with versions of Android prior to version 5.0. Unfortunately, that may include up to 67% of Android devices.

Commentary by Pierluigi Paganini here. 

Posted by: David Harley | January 28, 2016

Crashing Safari: beware of shortened URLs

Australia’s Stay Smart Online has issued an alert warning of how a Social media prank crashes Apple Safari. The browser freeze is caused by a snippet of looping JavaScript that keeps calling the history.pushState() method in the HTML5 API. The attack – as far as I’m concerned, it’s a Trojan, not a prank, even if its effects are usually inconvenient rather than critical (though they could result in lost data) – does affect other browsers to an extent, but Safari seems to be particularly susceptible (on OS X and on iOS). According to 9To5Mac, it freezes on Macs and may require a system restart to recover, while

“On some iPhones and iPads, the glitch may cause your iOS device to reboot.”

Stay Smart Online observes that:

  1. Current Chrome tabs will stop responding but the web browser will continue to work
  2. Firefox will catch the malicious code and ask if the user wants to stop it executing.
  3. Internet Explorer will temporarily stop working, but resume working after a short time.

The site is helpfully named, but it appears that ‘trolls’ are directing their victims to it using shortened URLs such as, and tinyURL. Yet another reason for not following shortened URLs where you can’t preview the real URL.

David Harley


Posted by: David Harley | January 27, 2016

No, we don’t have your phone!

For Sophos, John Zorabedian explains Why “find my phone” apps keep sending people to one couple’s house. Apparently it isn’t because they’re stealing phones.

The article specifically mentions Find My iPhone for iOS and Device Manager for Android, but I would have thought that the geolocation issues that lead to problems for particular addresses might be common to a range of apps that offer some sort of anti-theft device tracking. It’s not an issue I’ve explored up to now, though. No harm in checking with the software supplier if you have such an app enabled, anyway.

David Harley

Posted by: David Harley | January 27, 2016

Apple and Privacy: what about iCloud?

Well, according to Joshua Kopstein’s article for Motherboard – Apple Can Still See Your iMessages If You Enable iCloud – when Apple insists that it doesn’t have a decryption key for iMessages, that isn’t altogether the case. He claims that enabling iCloud for backup generates copies ‘encrypted on iCloud using a key controlled by Apple, not you’.

You may not mind Apple having access to your data, but this does suggest leverage for a subpoena. Tim Cook is quoted in an earlier article as saying that:

“If the government laid a subpoena to get iMessages, we can’t provide it. It’s encrypted and we don’t have a key. And so it’s sort of — the door is closed.”

However, this article suggests that the door can still be opened from the inside. In some circumstances, at any rate.

David Harley

Posted by: David Harley | January 25, 2016

Updates Update

…in case they hadn’t hit your radar. Actually, commentary from the security industry rather than the actual updates.

You can always tell we’re serious when we finish our titles with an exclamation mark. Well, I’m not an exclamation mark sort of person, but I do think it’s serious.

But it’s not just about iOS updates, as Zeljka Zorz points out for Help Net: Apple kills 28 flaws in OS X, iOS and QuickTime

David Harley

Posted by: David Harley | January 23, 2016

Samsung security updating criticized

Kieren McCarthy reports for The Register that Samsung sued over ‘lackadaisical’ Android security updates: Up your game, says Dutch consumer group.

According to the Dutch Consumers’ Association, 82% of Dutch users aren’t running the latest version, and they blame Samsung for not ‘prodding’ them enough.

David Harley

Posted by: David Harley | January 15, 2016

Bypassing Gatekeeper (again)

Yes, Patrick Wardle of Synack has done it again.

Apple’s fix for the exploit, reported by Ars Technica back in September, that enabled him to bypass Gatekeeper was to blacklist the files he reported to them privately. However, Wardle has since found another trusted file that enabled him to use the same attack methodology.

Wardle, who will be making a related presentation at ShmooCon this weekend, delivered a presentation at Virus Bulletin in 2015 intended to ‘expose the inner workings of Gatekeeper and … delve into the concept of quarantined files.’

Hat tip to Randy Knobloch (@randyknobloch) for drawing my attention to the Ars Technica article.

Commentary by Graham Cluley for Intego here.

Comment by John Leyden for The Register here.

David Harley



